test: tree-wide check if all uids and gids are mapped in current userns

Tests that are running in user namespaces where not all the uids and
gids are mapped will be SKIPPED automatically, this is the case of
unprivileged which turn privileged in its userns.

We skip test since even if we have CAP_SETUID we also need the target
uid to be mapped in that userns. Well, we do not need all the uids but
we are just lazy here...

The ones that do not like CONFIG_USER_NS can also test kdbus as it was
in a container, running under root:
  # ./test/kdbus-test --mntns --pidns

With this change unprivileged running on kernel with CONFIR_USER_NS can run
kdbus tests:
$ ./test/kdbus-test --userns --uidns "0 1000 1" --gidns "0 1000 1" --mntns --pidns

(but some tests are skipped)

Signed-off-by: Djalal Harouni <tixxdz@opendz.org>

diff --git a/test/kdbus-test.c b/test/kdbus-test.c
index 14832bedd0aa20dd49dd8834ca00e98db4cb061b..0a440ab1c108588602813c34803fcb989dbc6488 100644 (file)
--- a/test/kdbus-test.c
+++ b/test/kdbus-test.c
@@ -639,8 +639,7 @@ static int test_prepare_mounts(struct kdbus_test_args *kdbus_args)
                    MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
        if (ret < 0) {
                ret = -errno;
-               printf("error mount() %s :%d (%m)\n",
-                       kdbus_args->module, ret);
+               printf("error mount() %s :%d (%m)\n", kdbusfs, ret);
                _exit(TEST_ERR);
        }
 

diff --git a/test/test-connection.c b/test/test-connection.c
index 4c02fc9b0911400423daf5daa53f34cf5cfeb8d0..cc9d66e8556203173053e9dad8ebcd21342ca22b 100644 (file)
--- a/test/test-connection.c
+++ b/test/test-connection.c
@@ -486,6 +486,9 @@ int kdbus_test_conn_info(struct kdbus_test_env *env)
        ret = kdbus_conn_info(env->conn, 0, "non.existent.name", 0, NULL);
        ASSERT_RETURN(ret == -ESRCH);
 
+       if (!all_uids_gids_are_mapped())
+               return TEST_SKIP;
+
        /* Test for caps here, so we run the previous test */
        have_caps = test_is_capable(CAP_SETUID, CAP_SETGID, -1);
        ASSERT_RETURN(have_caps >= 0);

diff --git a/test/test-endpoint.c b/test/test-endpoint.c
index 1c2335eec933b8f11561cb9fea1c30dcf2525db7..804931ac1c300a78388418127534fa35bec52fc9 100644 (file)
--- a/test/test-endpoint.c
+++ b/test/test-endpoint.c
@@ -322,8 +322,10 @@ int kdbus_test_custom_endpoint(struct kdbus_test_env *env)
        ret = test_is_capable(CAP_SETUID, CAP_SETGID, -1);
        ASSERT_RETURN(ret >= 0);
 
-       /* we can drop privileges */
-       if (ret) {
+       /*
+        * All uids/gids are mapped and we have the necessary caps
+        */
+       if (ret && all_uids_gids_are_mapped()) {
                ret = unpriv_test_custom_ep(env->buspath);
                ASSERT_RETURN(ret == 0);
        }

diff --git a/test/test-message.c b/test/test-message.c
index af5071c504ce3984cbf044eab63176c42a6a423c..284e80453bc5814106a55a7bec3064c6691fee7f 100644 (file)
--- a/test/test-message.c
+++ b/test/test-message.c
@@ -556,7 +556,7 @@ int kdbus_test_message_quota(struct kdbus_test_env *env)
        ret = kdbus_test_notify_kernel_quota(env);
        ASSERT_RETURN(ret == 0);
 
-       if (geteuid() == 0) {
+       if (geteuid() == 0 && all_uids_gids_are_mapped()) {
                ret = kdbus_test_multi_users_quota(env);
                ASSERT_RETURN(ret == 0);
 

diff --git a/test/test-policy-ns.c b/test/test-policy-ns.c
index 272101579b5ed1949cca4e1aa591c00a44aa22b6..abd5b922df6aabfcbff63426ec49b3b475d2bf23 100644 (file)
--- a/test/test-policy-ns.c
+++ b/test/test-policy-ns.c
@@ -29,6 +29,7 @@
 #include <sys/ioctl.h>
 #include <sys/eventfd.h>
 #include <sys/syscall.h>
+#include <sys/capability.h>
 #include <linux/sched.h>
 
 #include "kdbus-test.h"
@@ -518,16 +519,21 @@ int kdbus_test_policy_ns(struct kdbus_test_env *env)
        struct kdbus_conn *policy_holder = NULL;
        char *bus = env->buspath;
 
-       if (geteuid() > 0) {
-               kdbus_printf("error geteuid() != 0, %s() needs root\n",
-                            __func__);
+       ret = test_is_capable(CAP_SETUID, CAP_SETGID, -1);
+       ASSERT_RETURN(ret >= 0);
+
+       /* no enough privileges, SKIP test */
+       if (!ret)
                return TEST_SKIP;
-       }
 
        /* we require user-namespaces */
        if (access("/proc/self/uid_map", F_OK) != 0)
                return TEST_SKIP;
 
+       /* uids/gids must be mapped */
+       if (!all_uids_gids_are_mapped())
+               return TEST_SKIP;
+
        conn_db = calloc(MAX_CONN, sizeof(struct kdbus_conn *));
        ASSERT_RETURN(conn_db);
 

diff --git a/test/test-policy-priv.c b/test/test-policy-priv.c
index 69bf3f237a781ca90760065f710f79f13130bf98..ab515201be2af583b7774d5675d4d83d31d4850b 100644 (file)
--- a/test/test-policy-priv.c
+++ b/test/test-policy-priv.c
@@ -682,6 +682,10 @@ static int test_policy_priv(struct kdbus_test_env *env)
        if (!ret)
                return TEST_SKIP;
 
+       /* make sure that uids and gids are mapped */
+       if (!all_uids_gids_are_mapped())
+               return TEST_SKIP;
+
        /*
         * Setup:
         *  conn_a: policy holder for com.example.a